Python Liquid: Absolute paths escape filesystem loader search path

8.2 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0.

Basic Information

ID CVE-2026-45017

Source GitHub_M

Published May 28, 2026 at 14:24

Modified May 28, 2026 at 15:57

Affected Product

Vendor jg-rp

Product liquid

Version < 2.2.0

Affected Versions jg-rp liquid < 2.2.0

CWE Classification

CWE-22

References

github.com /jg-rp/liquid/security/advisories/GHSA-8p4x-wr7x-3788

{
    "lastseen": "",
    "description": "Python Liquid is a Python engine for the Liquid template language. Prior to 2.2.0, the built-in FileSystemLoader and CachingFileSystemLoader do not guard against reading files outside their search paths when given an absolute path to resolve. This allows malicious template authors to load and render arbitrary files via the {% include %} and {% render %} tags. Targeted files would need to contain valid Liquid markup and be readable by the application process. This vulnerability is fixed in 2.2.0.",
    "published": "2026-05-28T14:24:27.928Z",
    "modified": "2026-05-28T15:57:12.837Z",
    "type": "cve",
    "title": "Python Liquid: Absolute paths escape filesystem loader search path",
    "source": "GitHub_M",
    "references": "https://github.com/jg-rp/liquid/security/advisories/GHSA-8p4x-wr7x-3788",
    "id": "CVE-2026-45017",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "jg-rp liquid < 2.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "liquid",
    "version": "< 2.2.0",
    "vendor": "jg-rp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Python Liquid: Absolute paths escape filesystem loader search path_CVE-2026-45017